Ohio Governor's Statement on Inspector General Findings Regarding Theft of Data Device

Ohio Governor Ted Strickland responded Friday to the State Inspector General Report of Investigation regarding the circumstances surrounding the theft of a computer back-up device.

"I appreciate the Inspector General's thorough review of the circumstances surrounding the theft of the state data device. The state is taking every precaution to ensure that this type of incident is prevented from occurring again," Strickland said. "We are attempting to hold accountable those determined to bear some responsibility for placing the sensitive, personal information of so many Ohioans at risk."

The Inspector General investigation determined that: "OAKS administrators failed to protect confidential information by authorizing state employees, including college interns, to take backup tapes containing sensitive data to their homes for overnight storage"; "OAKS, OIT (Office of Information Technology) and OBM (Office of Budget and Management) officials failed to report the theft of confidential information to state and law enforcement officials in a timely manner"; and "OAKS administrators failed to protect confidential information by allowing personnel to store sensitive data in an unsecured folder on the OAKS intranet." The Inspector General found no evidence to suggest state agencies or employees engaged in criminal or illegal behavior surrounding these circumstances.

The full Inspector General report can be found here: www.watchdog.ohio.gov.

Based on the findings, the Inspector General made seven recommendations, listed below. Following each recommendation are the state's actions in response.

IG Recommendation:

1. OBM, DAS and OIT should take appropriate disciplinary action against individuals responsible for losing the data tape; failing to ensure that Hilliard police were apprised of the potential seriousness of the theft; downplaying the seriousness of the theft to supervisors; and failing to ensure that sensitive information was removed from the OAKS I: drive.

State's Action:

For the reasons outlined in the report:

A. The Department of Administrative Services has accepted the resignation of OAKS Project Manager David White.

B. The Office of Budget and Management, after asking for his voluntary resignation and being refused, has discharged Intern Jared Ilovar.

C. The Office of Budget and Management has terminated the OAKS consulting contract for Compuware employees Avadhut Kulkarni, immediate supervisor to OAKS interns, and Brian Welch, OAKS assistant program manager.

D. The governor has directed Department of Administrative Services Director Hugh Quill to begin the appropriate classified employee administrative disciplinary review with respect to OAKS Team Leads Phil Rowe and Jerry Miller.

E. The Office of Budget and Management will place an outline of the Inspector General's report findings concerning former OAKS Technical Manager Carl Miller (retired as of June 1, 2007) in his personnel file.

F. The governor has met, today, with OIT Director Steve Edmonson to express his concern regarding the lack of rapid communication surrounding this incident.

IG Recommendation:

2. OBM, DAS and OIT should conduct an administrative review of all state agencies, boards and commissions to determine whether they have authorized employees to take home backup tapes for storage and, if so, order them to cease.

State's Action:

The governor called for the cessation of the longstanding practice of sending sensitive data storage devices home with employees after learning of the data device theft on June 14, 2007. The Office of Information Technology has directed all agencies to cease any such conduct.

An administrative review of all state boards and commissions is underway.

IG Recommendation:

3. OBM, DAS and OIT should ensure that all state agencies, boards and commissions utilize a secure method of storage for sensitive computerized data.

State's Action: